- Grumpy Educators
- Grumpy Opinions
- Washington Critters
Tomorrow may not be a grea day for Freedom of Speech in America,
Congress is scheduled to vote on their latest attempt to regulate the Internet, Cyber Intelligence Sharing and Protection Act. The first problem with the law is that it excludes itself from laws designed to protect the public’s privacy rights, and the rights granted to American citizens under the Constitution. You will have no way of knowing if your rights has been violated, you have no control over how your personal information is gathered or shared between participating super corporations and the federal government
All someone has to do is claim they were investigating cyber security concern. You have no right to question anything. Law exempted itself from Freedom of Information Laws. This essentially allows private corporations leeway to investigate individuals in ways the Constitution and the courts don’t allow the government to engage in. What is wrong with this picture?
Large companies like Facebook face a very real cyber security threat, this law could help protect them and they would like to see it passed. Cities companies are more than willing to promise you that they would never misuse your personal information. The government is pointing out that the corporations would have to voluntarily share information with them, that way they can claim that they’re not violating either Privacy Laws or the U.S. Constitution
Realistically if a Corporation happens to be in need of a permit, a license or finds itself facing some sort of regulatory investigation they will be more than willing to share any information with the federal government federal government might ask for..
Trevor Timm at the Electronic Freedom Foundation has been following this closely and knows a lot more about it than I do. He had this to say..
This week, EFF—along with a host of other civil liberties groups—are protesting the dangerous new cybersecurity bill known as CISPA that will be voted on in the House on April 23. EFF has compiled an FAQ detailing the how the bill’s major provisions work and how they endanger all Internet users’ privacy.
UPDATE: The White House released a statement on Tuesday criticizing CISPA and said any cybersecurity bill with information sharing provisions “must include robust safeguards to preserve the privacy and civil liberties of our citizens.” The White House declared they would not support a bill that would “sacrifice the privacy of our citizens in the name of security.” Below are all the ways CISPA would violate that principle.
What is “CISPA”?
CISPA stands for The Cyber Intelligence Sharing and Protection Act, a cybersecurity bill written by Rep. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) (H.R. 3523). The bill purports to allow companies and the federal government to share information to prevent or defend from cyberattacks. However, the bill expressly authorizes monitoring of our private communications, and is written so broadly that it allows companies to hand over large swaths of personal information to the government with no judicial oversight—effectively creating a “cybersecurity” loophole in all existing privacy laws. Because the bill is so hotly debated now,unofficial proposed amendments are also being circulated and the actual bill language is in flux.
Yes. Under CISPA, any company can “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property” of the company. This phrase is being interpreted to mean monitoring your communications—including the contents of email or private messages on Facebook.
Right now, well-established laws, like the Wiretap Act and the Electronic Communications Privacy Act, prevent companies from routinely monitoring your private communications. Communications service providers may only engage in reasonable monitoring that balances the providers’ needs to protect their rights and property with their subscribers’ right to privacy in their communications. And these laws expressly allow lawsuits against companies that go too far. CISPA destroys these protections by declaring that any provision in CISPA is effective “notwithstanding any other law” and by creating a broad immunity for companies against both civil and criminal liability. This means companies can bypass all existing laws, as long as they claim a vague “cybersecurity” purpose.
CISPA has such an expansive definition of “cybersecurity threat information” that many ordinary activities could qualify. CISPA is not specific, but similar definitions in two Senate bills provide clues as to what these activities could be. Basic privacy practices that EFF recommends—like using an anonymizing service like Tor or even encrypting your emails—could be considered an indicator of a “threat” under the Senate bills. As we have stated previously, the bills’ definitions “implicate far more than what security experts would reasonably consider to be cybersecurity threat indicators—things like port scans, DDoS traffic, and the like.”
A more detailed explanation about what could constitute a “cybersecurity purpose” or “cyber security threat indicator” in the various cybersecurity bills can be read here.
Yes. After collecting your communications, companies can then voluntarily hand them over to the government with no warrant or judicial oversight whatsoever as long is the communications have what the companies interpret to be “cyber threat information” in them. Once the government has your communications, they can read them too.
Almost nothing. CISPA would affirmatively prevent users from suing a company if they hand over their private information to the government in virtually all cases. A broad immunity provision in the proposed amendments gives companies complete protection from user lawsuits unless information was given to the government:
(I) intentionally to achieve a wrongful purpose;
(II) knowingly without legal or factual justification; and
(III) in disregard of a known or obvious risk that is so great as to make it highly probably that the harm of the act or omission will outweigh the benefit.
As Techdirt concluded, “no matter how you slice it, this is an insanely onerous definition of willful misconduct that makes it essentially impossible to ever sue a company for wrongly sharing data under CISPA.” This proposed immunity provision is actually worse than the prior version of the bill, under which companies could be sued if they acted in “bad faith.”
Under CISPA, companies are directed to hand “cyber threat information” to the Department of Homeland Security (DHS). Once it’s in DHS’s hands, the bill says that DHS can then hand the information to other intelligence agencies, including the National Security Agency, at its discretion.
Yes. When the bill was originally drafted, information could be used for all other law enforcement purposes besides “regulatory purposes.” A new amendment narrows this slightly. Now—even though the information was passed along to the government for only cybersecurity purposes—the government can use your personal information for either cybersecurity ornational security investigations. And as long as it can be used for one of those purposes, it can be used for any other purpose as well.
Up until last Friday the answer was yes, and now it’s changed to maybe. In response to the overwhelming protest from the Internet community that this bill would become a backdoor for SOPA 2, the bill authors have proposed an amendment that rids the bill of any reference to “intellectual property.”
The bill previously defined “cyber threat intelligence” and “cybersecurity purpose” to include “theft or misappropriation of private or government information, intellectual property, or personally identifiable information.” Now the text reads:
(B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information
But it is important to remember that this proposed amendment is just that: proposed. The House has not voted it into the bill yet, so they still must follow through and remove it completely.
A more detailed explanation of how this provision could be used for copyright enforcement and censoring whistleblower sites like WikiLeaks can be read here.
CISPA does allow users to sue the government if they intentionally or willfully use their information for purposes other than what is described above. But any such lawsuit will be difficult to bring. For instance, the statute of limitations for such a lawsuit is two years from the date of the actual violation. It’s not at all clear how an individual would know of such misuse if it were kept inside the government.
Moreover, suing the government where classified information or the “state secrets privilege” is involved is difficult, expensive, and time consuming. EFF has been involved for years in a lawsuit over Fourth Amendment and statutory violations stemming from the warrantless wiretapping program run by the NSA—a likely recipient of “cyber threat information.” Despite six years of litigation, the government continues to maintain that the “state secrets” privilege prevents the lawsuit from being heard.
Given that DHS is notorious for classifying everything—even including their budget and number of employees—they may attempt to prevent users from finding out exactly how this information was ever used. And if the information is in the hands of the NSA and they claim “national security,” then it would get even harder.
In addition, while CISPA does mandate an Inspector General should issue a report to Congress over the government’s use of this information, its recommendations or remedies do not have to be followed.
Facebook and other companies have endorsed this legislation because they want to be able to receive information about network security threats from the government. This is a fine goal, but unfortunately CISPA would do far more than that—it would eviscerate existing privacy laws by allowing companies to voluntarily share users’ private information with the government.
Facebook released a statement Friday saying that they are concerned about users’ privacy rights and that the provision allowing them to hand user information to the government “is unrelated to the things we liked about HR 3523 in the first place.” As we explained in our analysis of Facebook’s response: the “stated goal of Facebook—namely, for companies to receive data about cybersecurity threats from the government—does not necessitate any of the CISPA provisions that allow companies to routinely monitor private communications and share personal user data gleaned from those communications with the government.” Read moreabout why Facebook should withdraw support from CISPA until privacy safeguards are in placehere.
It’s vital that concerned Internet users tell Congress to stop this bill. Use EFF’s action center to send an email to your Congress member urging them to oppose this bill.
We’re also joining other civil liberties organizations in Stop Cyber Spying Week, a week of action to protest CISPA. The goal of this week of action is simple: get Congress to back off of any cybersnooping legislation that sacrifices the civil liberties of Internet users. We’ve set up a dedicated Twitter tool to help Internet users tweet messages to their Congressional representatives opposing CISPA.
Want to do more to help us fight back against this cyberspying legislation? Click here for more suggestions.
This was re-posted under a Creative Commons License, you don’t need permission to republish it, just be sure and provide a link back to Electronic Freedom Foundation